From: RG on 13 Aug 2010 13:58

Is there a reason why an account, having administrative privileges to the local machine, other than LocalSystem, should not be used to run various SQL services?

Thanks in advance
From: Jeroen Mostert on 13 Aug 2010 16:04

On 2010-08-13 19:58, RG wrote:
> Is there a reason why an account, having administrative privileges to the
> local machine, other than localsystem, should not be used to run various sql
> services?
>

The principle of least privilege. Most services don't need access to anything except the database files. You don't need administrative permissions for that. "Local System" is actually worse than a custom local administrative account because it has even more permissions initially (of course, any administrator can grant themselves the same permissions because, well, they're *administrators*). Contrary to what people think, "Local System" is not a safe choice because it has "local" in the name; it's the "system" part you should focus on.

Consider the scenario where an outside user connects to a service, exploits a buffer overrun and manages to execute arbitrary code in the context of that service. If the service is running with administrative or system permissions, you've just handed the attacker the keys to the kingdom. For example, it no longer matters if you've set up your SQL Server to use Windows authentication or encryption, because the compromised service can be used to read the data files or system memory directly. As the machine itself is now compromised, it's also a prime staging area for attacks on the rest of the domain.

You're best off creating an account especially for SQL Server and giving it exactly the permissions it needs (read/write on its directory), and no more. Barring that, a local non-administrative account like Local Service or Network Service will do (although these already have too much permission for comfort, like the ability to shut down the machine). Don't ever use Local System or an administrative account because it's easier. Setting up permissions only needs to happen once, so does having your server hacked into, and it's easy to see which is the lesser of two evils.

-- 
J.
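The reply above argues for auditing which account each SQL Server service runs as and avoiding Local System or any member of the local Administrators group. The following PowerShell is an added example of that check, not code from either poster. It assumes Windows 10 / Windows Server 2016 or later (for `Get-LocalGroupMember`), and the service-name prefixes it matches (`MSSQL*`, `SQLAgent*`, and so on) are the ones SQL Server components conventionally use; adjust the list for your installation.

```powershell
# Audit the logon accounts of SQL Server services on the local machine and
# classify each one against the least-privilege advice in the thread.
# Added example; not part of the original posts.

function Get-SqlServiceAccountRisk {
    # Service-name patterns for common SQL Server components (assumption:
    # default and named instances follow these conventional prefixes).
    $sqlServicePatterns = @(
        'MSSQL*', 'SQLAgent*', 'SQLBrowser', 'MSSQLFDLauncher*',
        'MsDtsServer*', 'ReportServer*', 'SQLTELEMETRY*'
    )

    # Members of the local Administrators group as "COMPUTER\Name" strings.
    $localAdmins = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -ExpandProperty Name

    $services = Get-CimInstance -ClassName Win32_Service | Where-Object {
        $svc = $_
        # Keep the service if any pattern matches its short name.
        ($sqlServicePatterns | Where-Object { $svc.Name -like $_ }).Count -gt 0
    }

    foreach ($svc in $services) {
        $account = $svc.StartName
        if ([string]::IsNullOrEmpty($account)) { $account = '<unknown>' }

        # Normalise ".\user" (service config shorthand) to "COMPUTER\user"
        # so it compares with Get-LocalGroupMember output.
        $normalized = $account -replace '^\.\\', "$env:COMPUTERNAME\"

        switch -Regex ($normalized) {
            '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' {
                $finding = 'HIGH: runs as Local System'; break
            }
            '^NT AUTHORITY\\(Local ?Service|Network ?Service)$' {
                $finding = 'MEDIUM: built-in low-privilege account (still broad)'; break
            }
            '^NT Service\\' {
                $finding = 'OK: per-service virtual account'; break
            }
            default {
                if ($localAdmins -contains $normalized) {
                    $finding = 'HIGH: member of local Administrators'
                } else {
                    $finding = 'OK: dedicated non-admin account'
                }
            }
        }

        [pscustomobject]@{
            Service = $svc.Name
            State   = $svc.State
            Account = $account
            Finding = $finding
        }
    }
}

# Run the audit and show the result as a table.
Get-SqlServiceAccountRisk | Sort-Object Finding -Descending | Format-Table -AutoSize
```

Running this in an elevated session lists each SQL-related service with its logon account and a finding. Anything marked HIGH is exactly the configuration the reply warns against; the follow-up is to create a dedicated account (or use the per-service `NT Service\...` virtual account) and grant it read/write on the instance's data directory only.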